Decision Makers

Identify Maturity Assessment: Where Most Programs Fall Short

Most identity maturity assessments measure artifacts, not outcomes. Learn where programs fall short and how CISOs can build a credible, risk-based identity program.

CybersecTools
May 2, 2026
Maturity Assessment
Security Program Building
Board Reporting
Photo by Edward Jenner on Pexels

Introduction

Most identity maturity assessments produce a score. That score goes into a slide deck. The slide deck goes to the board. And six months later, your identity program looks exactly the same as it did before the assessment started. The ritual completed. The risk did not change.

Identity is the control plane for everything else you've built. Your SIEM catches threats after they move. Your EDR catches malware after it executes. But identity is where attackers live before any of that happens. Compromised credentials are the entry point in over 80% of breaches. If your identity program is immature, every other control you've funded is compensating for that gap at a premium.

The problem is not that CISOs don't know identity matters. The problem is that most identity maturity assessments measure the wrong things. They measure tool deployment, not control effectiveness. They measure policy existence, not policy enforcement. They measure what you have, not what actually works when an attacker tests it. This article is about the gap between those two things, and how to close it.


The Standard Maturity Model Measures Artifacts, Not Outcomes

Most frameworks, CMMI-derived or otherwise, ask whether you have a policy, whether you have a tool, and whether you have a process. Check, check, check. Level 3 achieved. Your auditor is satisfied. Your identity program is still broken.

The artifact problem is real. A password policy that nobody enforces is not a control. An MFA deployment that covers 60% of your workforce is not MFA. A privileged access management tool that IT bought three years ago and never fully configured is not PAM. These are artifacts. They exist. They do not protect.

When you build your assessment framework, the first question for every control should not be 'do you have this?' It should be 'what percentage of in-scope accounts does this actually cover, and how do you know?' That single shift changes everything about what your assessment finds.

Coverage Gaps Are Where Breaches Actually Happen

Your MFA rollout covered all employees. It did not cover service accounts. It did not cover your 47 third-party vendors with direct system access. It did not cover the legacy application that your ERP team refuses to migrate because it 'still works fine.' Those gaps are not edge cases. They are the attack surface.

A mature identity program maps every account type against every control. That mapping usually reveals something uncomfortable. Here is the account inventory most programs are missing:

  • Human accounts: Employees, contractors, part-time staff, interns
  • Service accounts: Application-to-application, scheduled tasks, CI/CD pipelines
  • Privileged accounts: Domain admins, cloud root accounts, database superusers
  • Third-party accounts: Vendors, managed service providers, auditors with direct access
  • Orphaned accounts: Former employees, decommissioned systems, forgotten integrations

Most programs have solid coverage on the first category and deteriorating coverage on every category after it.

The coverage gap is also a budget conversation. When you show your CFO that 23% of accounts with privileged access have no MFA, that is not a compliance finding. That is a quantifiable risk exposure. It is also a specific, fundable remediation project with a defined scope.

Privileged Access Is the Highest-Stakes Gap in Most Programs

Privileged access management consistently scores as the lowest-maturity domain in identity programs. Not because CISOs don't understand it. Because PAM is operationally painful to implement fully. It creates friction for the people with the most organizational power to push back: your senior engineers, your IT directors, your database administrators.

The organizational resistance to PAM is a leadership problem, not a technical problem. If your CISO predecessor tried to implement session recording for privileged accounts and got overruled by the CTO, that history lives in your program. You inherit the gaps along with the org chart.

Assess PAM maturity across four dimensions, not one:

  • Discovery: Do you know every privileged account that exists?
  • Vaulting: Are credentials stored and rotated in a PAM solution, or in a shared spreadsheet?
  • Session control: Are privileged sessions recorded and reviewable?
  • Just-in-time access: Are standing privileges eliminated, or does everyone have always-on admin access?

Most programs score well on vaulting because that is what vendors demo. They score poorly on discovery and just-in-time because those require process change, not just tool deployment.

Lifecycle Management: The Slow Leak That Compounds Over Years

Joiner-mover-leaver processes sound boring. They are also where identity risk accumulates quietly over years. Every time someone changes roles and keeps their old access, your least-privilege posture degrades. Every time an employee leaves and their account sits active for two weeks because HR and IT are not synchronized, you have an open door.

The math compounds fast. If your organization has 2,000 employees and 15% change roles annually, that is 300 access reviews that need to happen correctly every year just to maintain your current posture. If your mover process has a 20% failure rate, you have 60 accounts per year with excess access accumulating. Over three years, that is 180 accounts. Each one is a potential lateral movement path.

Assess your lifecycle process by pulling a sample, not by reviewing the policy. Take 20 accounts from employees who changed roles in the last 12 months. Check what access they had before, what they have now, and whether the delta makes sense. That sample will tell you more about your actual maturity than any questionnaire.

Identity Governance Without Enforcement Is a Compliance Theater Production

Quarterly access reviews are the canonical example of ceremonial security. Your team spends two weeks pulling reports, sending emails, and chasing down managers who rubber-stamp approvals without reading them. Your auditor gets a signed attestation. Your access posture does not change.

The problem is not the review cadence. The problem is that most access review processes have no enforcement mechanism. If a manager certifies that an account should be removed and nothing happens for 30 days, the review was theater. If a manager approves access that violates your separation of duties policy and the system accepts it anyway, your governance is decorative.

Mature identity governance has three properties that most programs lack:

  • Automated remediation: Revocations execute within hours, not weeks
  • Policy enforcement at provisioning: Toxic combinations are blocked before they are created, not flagged after the fact
  • Meaningful exception tracking: Every policy exception is documented, time-limited, and reviewed at a defined interval

If your IGA tool can flag violations but cannot enforce them, you have a reporting tool, not a governance tool.

How to Score Your Program Without Fooling Yourself

The most honest identity maturity assessment is adversarial. Before you score yourself, ask: if a red team started with one compromised employee credential today, how far could they get? That question cuts through artifact-based scoring immediately.

For a structured assessment, score each domain on two axes: coverage and effectiveness. Coverage is the percentage of in-scope accounts or systems where the control applies. Effectiveness is whether the control actually works when tested. A control with 100% coverage and 40% effectiveness is not a mature control.

Here is a practical scoring framework for the five core identity domains:

| Domain | Coverage Score (0-5) | Effectiveness Score (0-5) | Combined Maturity |
|---|---|---|---|
| MFA | % of accounts covered | Tested bypass resistance | Average |
| PAM | % of privileged accounts vaulted | JIT adoption rate | Average |
| Lifecycle | % of role changes reviewed | Sample audit pass rate | Average |
| Governance | % of access reviewed quarterly | Remediation completion rate | Average |
| Directory hygiene | % of stale accounts removed | Orphan account rate | Average |

Score each domain honestly. The domains where coverage and effectiveness diverge are your real risk exposure.
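As an added example (not part of the original article), here is the account-type-by-control mapping from the inventory section and the two-axis scoring table in Python. The inventory rows are constructed sample data, and the floor(5 × fraction) mapping from a coverage percentage onto the 0-5 scale is an assumption, since the article does not fix one.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample inventory (not real data): one row per account, tagged with
# its account type from the list above and whether each control applies to it.
INVENTORY = [
    {"id": "h1", "type": "human", "privileged": False, "mfa": True},
    {"id": "h2", "type": "human", "privileged": False, "mfa": True},
    {"id": "h3", "type": "human", "privileged": True, "mfa": True},
    {"id": "h4", "type": "human", "privileged": True, "mfa": False},
    {"id": "s1", "type": "service", "privileged": True, "mfa": False},
    {"id": "s2", "type": "service", "privileged": False, "mfa": False},
    {"id": "t1", "type": "third_party", "privileged": True, "mfa": True},
    {"id": "t2", "type": "third_party", "privileged": True, "mfa": False},
    {"id": "o1", "type": "orphaned", "privileged": False, "mfa": False},
    {"id": "o2", "type": "orphaned", "privileged": True, "mfa": False},
]

def coverage_by_type(accounts, control):
    """Fraction of accounts of each type where `control` is in place: the
    account-type x control mapping. Coverage falling off after 'human' is
    the pattern the article describes."""
    total, covered = defaultdict(int), defaultdict(int)
    for a in accounts:
        total[a["type"]] += 1
        covered[a["type"]] += int(a[control])
    return {t: covered[t] / total[t] for t in total}

def gap(accounts, control, in_scope=lambda a: True):
    """Count and share of in-scope accounts lacking `control`, e.g. privileged
    accounts with no MFA: the number that goes in front of the CFO."""
    scoped = [a for a in accounts if in_scope(a)]
    missing = [a["id"] for a in scoped if not a[control]]
    return len(missing), (len(missing) / len(scoped) if scoped else 0.0)

def coverage_score(fraction):
    """Assumed mapping onto the 0-5 scale: floor(5 * fraction), so anything
    short of 100% coverage cannot score a 5."""
    return min(5, int(fraction * 5))

def assess(domain, coverage_fraction, effectiveness_score):
    """One row of the scoring table: both axes, their average, and a flag
    when they diverge by two or more points (the real risk exposure)."""
    cov = coverage_score(coverage_fraction)
    return {"domain": domain, "coverage": cov, "effectiveness": effectiveness_score,
            "combined": mean([cov, effectiveness_score]),
            "diverges": abs(cov - effectiveness_score) >= 2}

if __name__ == "__main__":
    print(coverage_by_type(INVENTORY, "mfa"))
    print(gap(INVENTORY, "mfa", in_scope=lambda a: a["privileged"]))
    print(assess("MFA", coverage_by_type(INVENTORY, "mfa")["human"], 1))
```

Feed it a real export and the `gap` call over privileged accounts gives the "N accounts with privileged access and no MFA" statement the board section below asks for.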

Translating Assessment Findings Into a Board-Ready Risk Narrative

Your board does not want a maturity score. They want to know what the score means for the business. 'We are at Level 2.3 on identity maturity' communicates nothing to a board member who runs a manufacturing company. 'We have 340 accounts with privileged access and no MFA, which means a single phishing email could give an attacker domain admin access' communicates risk.

Translate every major finding into a business impact statement. Use the format: 'If this gap is exploited, the likely outcome is X, with an estimated impact of Y.' You do not need a precise dollar figure. You need a plausible scenario that connects the technical gap to a business consequence the board already worries about: ransomware, regulatory fines, customer data exposure.

The remediation roadmap that follows the assessment should be sequenced by risk reduction per dollar spent, not by technical elegance. Closing the MFA gap on privileged accounts costs less and reduces more risk than deploying a new IGA platform. Show that math. It builds credibility and makes budget conversations easier.

Building the Remediation Roadmap Without Burning Out Your Team

Identity remediation projects fail for two reasons. First, they are scoped too broadly. 'Implement PAM across the enterprise' is not a project. It is a program that will take 18 months, lose executive sponsorship at month 6, and get cancelled at month 12 when the budget cycle resets.

Second, they underestimate the operational change required. Deploying a PAM tool is 20% of the work. Getting your 15 most senior engineers to check out credentials from a vault instead of using their personal admin accounts is 80% of the work. That 80% requires executive air cover, change management, and a clear answer to 'what's in it for me.'

Structure your roadmap in 90-day increments with measurable outcomes at each milestone. A realistic 12-month identity remediation roadmap for a mid-size organization (1,000 to 5,000 employees) looks like this:

  • Days 1-90: Complete account inventory, close orphaned accounts, enforce MFA on all privileged accounts
  • Days 91-180: Deploy or configure PAM for top 20% of privileged accounts by risk, establish automated lifecycle triggers from HR system
  • Days 181-270: Extend PAM coverage, implement automated access review remediation, establish SoD policy enforcement at provisioning
  • Days 271-365: Achieve JIT access for critical systems, complete IGA integration, establish continuous monitoring baseline

Each milestone produces a measurable risk reduction you can report to the board. That reporting cadence keeps the program funded.

Frequently Asked Questions

External assessments from a credible firm run between $50,000 and $150,000 depending on scope and organization size. Internal assessments cost staff time, typically 200 to 400 hours for a thorough effort. The honest answer is that internal assessments are more accurate because your team knows where the bodies are buried, but they are also more likely to be optimistic. Use an external firm when you need board-level credibility for the findings, or when you suspect internal politics are obscuring the real picture.

Conclusion

Identity maturity assessment is only useful if it produces honest findings and funded remediation. Most programs get the assessment and skip the honesty. They score themselves on what they have deployed rather than what actually works, present a number to the board, and move on. The risk does not move with them. Start with coverage and effectiveness as your two scoring axes. Translate findings into business risk language before they reach the board. Sequence remediation by risk reduction per dollar, not by technical ambition. And check your work adversarially: if a red team with one compromised credential could reach your crown jewels, your maturity score is aspirational, not operational. Close that gap first. Everything else follows.

